WebApp Sec mailing list archives
Re: IIS Security
From: Saqib Ali <docbook.xml () gmail com>
Date: Mon, 21 Nov 2005 08:04:48 -0800
1) The traversal attacks used in the past required running the cmd.exe file on the system partition. If your WWWROOT was on the system partition, it was much easier to traverse to cmd.exe. It is much harder if your WWWROOT is on a non-system partition.

2) Some of the attacks in the past assumed that the wwwroot was c:\inetsdk\wwwroot, so these attacks were successful. If the wwwroot partition had been on a separate partition these attacks might have failed.

3) It is much easier to control the permissions for the anonymous account (INETUSER) that IIS uses, if the WWWROOT is located on a separate partition.

On 11/21/05, Schmidt, Albert E <AES () ola state md us> wrote:
If the default IIS account only has access to the root document, what is the harm of placing the root document on the same disk partition as the operating system? If the account does not have access to the operating system files.
In Peace,
Saqib Ali
http://www.xml-dev.com/blog/
Consensus is good, but informed dictatorship is better.
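An added example, not part of the original message: a small Python model of points 1 and 2, showing that `..` segments are resolved within a single drive, so the same request lands on the system partition only when the document root lives there. The `winnt\system32` layout, the `D:\wwwroot` root and the sample requests are constructed assumptions; `c:\inetsdk\wwwroot` is the path quoted in the message.

```python
import ntpath  # Windows path rules, usable on any OS
from urllib.parse import unquote

SYSTEM_DRIVE = "C:"  # assumption: the operating system is installed on C:


def resolve(docroot, url_path):
    """Naive URL-to-file mapping: decode, append, normalise.

    There is deliberately no containment check, so '..' segments are
    honoured. This models the traversal-prone behaviour under discussion.
    """
    rel = unquote(url_path).replace("/", "\\").lstrip("\\")
    return ntpath.normpath(docroot.rstrip("\\") + "\\" + rel)


def assess(docroot, url_path):
    """Report where a request resolves and whether it leaves the docroot."""
    root = ntpath.normcase(ntpath.normpath(docroot))
    target = resolve(docroot, url_path)
    folded = ntpath.normcase(target)
    inside = folded == root or folded.startswith(root + "\\")
    drive = ntpath.splitdrive(target)[0].upper()
    return {
        "target": target,
        "escapes_docroot": not inside,
        "on_system_drive": drive == SYSTEM_DRIVE,
    }


# Constructed sample requests: one benign, one plain and one percent-encoded traversal.
REQUESTS = [
    "/index.html",
    "/../../winnt/system32/cmd.exe",
    "/..%2f..%2fwinnt/system32/cmd.exe",
]

if __name__ == "__main__":
    for docroot in (r"c:\inetsdk\wwwroot", r"D:\wwwroot"):
        for request in REQUESTS:
            print(docroot, request, assess(docroot, request))
```

With the root on `D:` the traversal still escapes the document root (it resolves to `D:\winnt\system32\cmd.exe`), so the separate partition removes the system binaries from reach but does not replace a containment check or the account permissions from point 3.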